Avast wi-fi experiment
The LogJam vulnerability allows hackers to target weakened encryption protocols used to secure online communications including email, VPNs, and mail servers. Reuters

First there was Heartbleed, then Poodle, Shellshock, and Freak, and now we have LogJam - the latest vulnerability to be uncovered which is threatening our online security.

The bug is very similar to the Freak flaw uncovered in March 2015 which affected the cryptographic protocols which are used to secure online communications.

What is LogJam?

LogJam, detailed by researchers this week, is a vulnerability which could allow hackers to monitor secure online communications by taking advantage of a deliberately weakened security protocol which is a legacy of the 1990s (see more on this below).

This means that should hackers (or government agencies) wish to do so, they could monitor and capture you private emails, passwords, banking credentials, and much more, despite websites, mail servers and VPNs using the "secure" HTTPS standard.

How does LogJam work?

Many websites and mail servers exchange what is known as a Diffie-Hellman encryption key when they are communicating with end users and the LogJam researchers have discovered that these keys are not as secure as previously thought.

The flaw would allow an attacker to downgrade the encryption protocol used in secure online communications (known as TLS) to 512-bit "export-grade" cryptography which is relatively easier to crack.

But that's not the only problem...

The researchers also found that the vast majority of servers reset the same few long numbers to generate their Diffie-Hellman keys which means hackers could simply focus on these numbers to crack the encryption.

How many websites are affected by LogJam?

According to the researchers, 8.4% of the top million domains on the internet are affected, which makes LogJam a pretty big problem. The researchers go further, suggesting that if the most common 1024-bit number used to generate Diffie-Hellman keys has been cracked (by, say, a nation state) then up to 18% of the top one million domains are at risk.

Unlike Freak which only affected certain web browsers, LogJam affects all browsers including Chrome, Internet Explorer, Firefox and Safari.

Has LogJam been exploited?

We can't say for certain yet if the LogJam vulnerability has been exploited in the wild, but in their white paper on the flaw, the researchers suggest that the US government could have exploited it:

"We estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break."

Can it be fixed?

Yes, the fix is relatively easy. Just stop using the weaker Diffie-Hellman encryption keys and reject anything less that 1024-bit. The problem is that while browsers can easily block these (as most are now doing), it requires those in charge of websites and servers to manually tweak the settings of vulnerable services which could take some time.

How do I check if I am vulnerable to LogJam attack?

Simply visit this website on your browser and it will tell you if you are vulnerable.

Why does LogJam exist?

The problem dates back to the early 1990s when the US government decided that it wanted to weaken the encryption standards on products being shipped overseas by US companies.

It required the companies to downgrade the encryption being used from strong RSA grade encryption to "export-grade" encryption. At the time this "export-grade" encryption was still relatively strong, requiring a supercomputer to be able to crack the 512-bit encryption key, meaning only the US government were likely to be able to exploit the vulnerability.

However with the rapid advance in computing, this is no longer the case, and with access to huge computing power through the likes of Amazon's cloud computing service AWS, anyone could potentially exploit the LogJam bug.

What do the experts say about LogJam?

Ivan Ristic, from Qualys, says LogJam is a reminder that supporting outdated security methods is not best practice:

Ken Simpson, CEO of MailChannels calls LogJam an "extreme threat" to your cyber-security:

Bob West from CipherCloud points out the dangers of deliberately putting backdoors into our systems: